Will serve as the primary certifier, main liaison, and driving force for all C&A efforts, to include ensuring ISSOs complete a FIPS-199, PTA, e-authentications, CPs, CPTRs, SSPs, and 800-53As, and personally delivering RAs, ST&E Plans, SARs, and ATO Letters. While TSA engineers conduct the majority of the technical scans on TSA information systems, the contractor shall sift through thousands of lines of scanning results in order to identify findings and create POA&Ms for the information systems under their responsibility.
TSA currently has 83 operational TSA IT Systems and a minimum of 30 Development systems. Operational systems are expected to grow by approximately 10% annually. The contractor shall be capable of managing between 7 and 10 systems per individual throughout the entire C&A lifecycle, to include Continuous Monitoring. Continuous Monitoring includes, but is not limited to, POA&M management, waiver and exception support, and periodic recertification. In addition, the contractor shall serve as the focal point for all C&A activities to the ISSO, System Owner, and Program Official.
- Responsible for all phases of C&A to ensure compliance and provide guidance on IT Security requirements to assigned stakeholders.
- Assist in developing and executing the agency Certification & Accreditation Program
HSTS03-11-R-CIO556 – version 14.0 Page 12 of 28
- Assist in developing unified guidelines and procedures for conducting certifications and/or system-level evaluations of federal information systems and networks including the critical infrastructure of TSA.
- Stay abreast of industry and Government standards to include DHS and TSA Security Policies and Technical Standards
- Advise the Government on new standards and make recommendations on new IT Security technologies to improve efficiencies.
- Conduct C&A Kick-off Meetings;
- Prepare the Security Test & Evaluation (ST&E) Plan;
- Conduct the ST&E Kick-off Meeting;
- Conduct the ST&E Execution via document examination, interviews and manual assessments;
- Analyze automated scan results;
- Populate the Requirements Traceability Matrix (RTM) with results of ST&E;
- Perform Risk Analysis;
- Create a Security Accreditation Report (SAR);
- Create a Plan of Action and Milestones (POA&M);
- Conduct ST&E Findings Meeting with the System Owner, ISSO and other system personnel as required.
- Communicate with ISSO on continuous monitoring activities related to Plan of Action and Milestone closures, waivers and exceptions;
- Coordinate courtesy scans with ISSOs and Security Engineers as requested by assigned systems;
- Advise new system development teams on DHS and TSA Security Policies and Technical Standards;
- Track security activities of assigned systems and brief senior leadership on said activities;
- Attend Security Training as requested by senior leadership;
- Advise ISSOs on successful completion of System Security Plans, Contingency Plans, FIPS 199 and E-Authentication Workbooks.
- Responsible for ensuring assigned systems are decommissioned according to DHS and TSA Media Sanitization Policies.
- Primary Certifiers shall meet the DHS monthly metric of a 96% success rate for ATOs completed.
Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information. Interim Secret clearance is required and must be clearable to the Top Secret level.
- Minimum of 3 years' demonstrated experience conducting vulnerability assessment and analysis of operating platforms (e.g., UNIX, Solaris, and Microsoft Windows). Minimum of 3 years' experience performing compliance testing and analysis of web-facing applications and database schemas. Minimum of 3 years' related security experience.
- Certification: Certification and Accreditation Professional (CAP), CISSP, CISM or CISA certification is preferred
- Proficiency in MS Word, as the contractor is responsible for writing several security artifacts, including documents such as Security Test & Evaluation Plans.
- Contractor must be proficient in developing and presenting, both verbally and in writing, highly technical information and presentations to non-technical audiences at all levels of the organization. Audiences for this information include, but are not limited to, senior executives at TSA and other agencies.
- Working knowledge of the NIST SP 800 series publications that implement FISMA, including but not limited to SP 800-30, 800-37, 800-53 and 800-53A.
- Experience operating vulnerability scanning tools (e.g., Nessus, AppDetective, WebInspect and ISS) and others as required.
- Experience performing analysis of data from the scanning tools.
- Travel: 15%